Wednesday, 23 September 2015

American Mass Surveillance of EU citizens: Is the End Nigh?

Steve Peers

This blog post is dedicated to the memory of the great
privacy campaigner Caspar Bowden, who passed away recently. What a tragedy he
did not live to see the developments in this case. To continue his work, you
can donate to the Caspar Bowden Legacy Fund here.

A brilliant university student takes on the hidebound
establishment – and ultimately wins spectacularly. That was Mark Zuckerberg,
founding Facebook, in 2004. But it could be Max Schrems, taking on Zuckerberg and Facebook, in the near future – if the
Court of Justice decides to follow the Advocate-General’s opinion in the
Schrems case, released today.

In fact, Facebook is only a conduit in this case: Schrems’
real targets are the US government (for requiring Facebook and other Internet companies
to hand over personal data to intelligence agencies), as well as the EU
Commission and the Irish data protection authority for going along with this.
In the Advocate-General’s opinion, the Commission’s decision to allow EU
citizens’ data to be subject to mass surveillance in the US is invalid, and the
national data protection authorities in the EU must investigate these flows of
data and prohibit them if necessary. The case has the potential to change much
of the way that American Internet giants operate, and to complicate relations
between the US and the EU in this field.

Background

There’s more about the background to this litigation here,
and Simon McGarr has summarised the CJEU hearing in this case here. But
I’ll summarise the basics of the case again here briefly.

Max Schrems is an Austrian Facebook user who was disturbed
by Edward Snowden’s revelations about mass surveillance by US intelligence
agencies. Since such mass surveillance is put into effect by imposing
obligations to cooperate upon Internet companies, he wanted to complain about Facebook’s
transfers of his personal data to the USA. Since Facebook’s European operations
are registered in Ireland, he had to bring his complaints to the Irish data protection
authority.

The legal regime applicable to such transfers of personal
data is the ‘Safe Harbour’ agreement between the EU and the USA, agreed in 2000
– before the creation of Facebook and some other modern Internet giants, and
indeed before the 9/11 terrorist attacks which prompted the mass surveillance. This
agreement was put into effect in the EU by a decision of the Commission,
which used the power conferred by the EU’s current data protection Directive
to declare that transfers of personal data to the USA received an ‘adequate
level of protection’ there.

The primary means of enforcing the arrangement was
self-certification by the companies concerned (not all transfers to the USA
fall within the scope of the Safe Harbour decision), with compliance enforced by the US
authorities. But it was also possible
(not mandatory) for the national data protection authorities which enforce EU
data protection law to suspend transfers of personal data, either where the US
authorities or enforcement system have found a breach of the rules, or where all of the
following conditions set out in the decision are met:

there is a
substantial likelihood that the Principles are being violated; there is a
reasonable basis for believing that the enforcement mechanism concerned is not
taking or will not take adequate and timely steps to settle the case at issue;
the continuing transfer would create an imminent risk of grave harm to data
subjects; and the competent authorities in the Member State have made
reasonable efforts under the circumstances to provide the organisation with
notice and an opportunity to respond.

In fact, Irish law prevents
the national authorities from taking up this option. So the national data
protection authority effectively refused to consider Schrems’ complaint. He
challenged that decision before the Irish High Court, which doubted that this system
was compatible with EU law (or indeed the Irish constitution). So that court
asked the CJEU to rule on whether national data protection authorities (DPAs) should
have the power to prevent data transfers in cases like these.

The Opinion

The Advocate-General first of all answers the question which
the Irish court asks, and then goes on to examine whether the Safe Harbour
decision is in fact valid. I’ll address those two issues in turn.

In the Advocate-General’s view, national data protection authorities
have to be able to consider claims that flows of personal data to third countries
are not compatible with EU data protection laws, even if the Commission has
adopted a decision declaring that they are. This stems from the powers and
independence of those authorities, read in light of the EU Charter of
Fundamental Rights, which expressly refers to DPAs’ role and independence. (On
the recent CJEU case law on DPA independence, see discussion here). It’s
worth noting that the new EU data protection law under negotiation, the data
protection Regulation, will likely confirm and even enhance the powers and
independence of DPAs. (More on that aspect of the proposed Regulation here).

On the second point, the opinion assesses whether the Safe
Harbour Decision correctly decided that there was an ‘adequate level of
protection’ for personal data in the USA. Crucially, it argues that this
assessment is dynamic: it must take account of the protection of personal data now, not just when the Decision was
adopted back in 2000.

As for the meaning of an ‘adequate level of protection’, the
opinion argues that this means that third countries must ensure standards ‘essentially
equivalent to that afforded by the Directive, even though the manner in which
that protection is implemented may differ from that’ within the EU, due to the
importance of protecting human rights within the EU. The assessment of
third-country standards must examine both the content of those standards and
their enforcement, which entails ‘adequate guarantees and a sufficient control
mechanism’, so that there is no ‘lower level of protection than processing within
the European Union’. Within the EU, the essential method of guaranteeing data
protection rights is independent DPAs.

Applying these principles, the opinion accepts that personal
data transferred to the USA by Facebook is subject to ‘mass and indiscriminate
surveillance and interception’ by intelligence agencies, and that EU citizens
have ‘no effective right to be heard’ in such cases. These findings necessarily
mean that the Safe Harbour decision was invalid for breach of the Charter and
the data protection Directive.

More particularly, the derogation for the national security
rules of US law set out in the Safe Harbour principles was too general, and so
the implementation of this derogation was ‘not limited to what is strictly
necessary’. EU citizens had no remedy against breaches of the ‘purpose
limitation’ principle in the US either, and there should be an ‘independent
control mechanism suitable for preventing the breaches of the right to privacy’.

The opinion then assesses the dispute from the perspective
of the EU Charter of Rights. It first concludes that the transfer of the
personal data in question constitutes interference with the right to private
life. As in last year’s Digital Rights Ireland
judgment (discussed here), on the validity of the EU’s data retention
directive, the interference with rights was ‘particularly serious, given the
large numbers of users concerned and the quantities of data transferred’. In
fact, due to the secret nature of access to the data, the interference was ‘extremely
serious’. The Advocate-General was also concerned about the lack of information
about the surveillance for EU citizens, and the lack of an effective remedy,
which breaches Article 47 of the Charter.

However, interference with these fundamental rights can be justified
according to Article 52(1) of the Charter, as long as the interference is ‘provided
for by law’, ‘respect[s] the essence’ of the right, satisfies the ‘principle of
proportionality’ and is ‘necessary’ to ‘genuinely meet objectives of general
interest recognized by’ the EU ‘or the need to protect the rights and freedoms
of others’.

In the Advocate-General’s view, the US law does not respect
the ‘essence’ of the Charter rights, since it extends to the content of the
communications. (In contrast, the data collected pursuant to the data retention
Directive which the CJEU struck down last year concerned only information on
the use of phones and the Internet, not the content of phone calls and Facebook
posts et al). On the same basis, he objected to the ‘broad wording’ of the relevant
derogations on national security grounds, which did not clearly define the ‘legitimate
interests’ at stake. Therefore, the derogation did not comply with the Charter,
‘since it does not pursue an objective of general interest defined with
sufficient precision’. Moreover, it was too easy under the rules to escape the
limitation that the derogation should only apply when ‘strictly necessary’.

Only the ‘national security’ exception was sufficiently
precise to be regarded as an objective of general interest under the Charter,
but it is still necessary to examine the ‘proportionality’ of the interference.
This was a case (like Digital Rights
Ireland) where the EU legislature’s discretion was limited, due to the
importance of the rights concerned and the extent of interference with them.
The opinion then focusses on whether the transfer of data is ‘strictly
necessary’, and concludes that it is not: the US agencies have access to the
personal data of ‘all persons using electronic communications services, without
any requirement that the persons concerned represent a threat to national
security’.

Crucially, the opinion concludes that ‘[s]uch mass,
indiscriminate surveillance is inherently disproportionate and constitutes an
unwarranted interference’ with Charter rights. The Advocate-General agreed that
since the EU and the Member States
cannot adopt legislation allowing for mass surveillance, non-EU countries ‘cannot
in any circumstances’ be considered to ensure an ‘adequate level of protection’
of personal data if they permit it either.

Furthermore, there were not sufficient guarantees for
protection of the data. Following the Digital
Rights Ireland judgment, which stressed the crucial importance of such
guarantees, the US system was not sufficient. The Federal Trade Commission
could not examine breach of data protection laws for non-commercial purposes by
government security agencies, and nor could specialist dispute resolution
bodies. In general, the US lacks an independent supervisory authority, which is
essential from the EU’s perspective, and the Safe Harbour decision was
deficient for not requiring one to be set up. A third country cannot be
considered to have ‘an adequate level of protection’ without it. Furthermore,
only US citizens and residents had access to the judicial system for
challenging US surveillance, and EU citizens cannot obtain remedies for access
to or correction of data (among other things).

So the Commission should have suspended the Safe Harbour
decision. Its own reports suggested that the national security derogation was
being breached, without sufficient safeguards for EU citizens. While the
Commission is negotiating revisions to that agreement with the USA, that is not
sufficient: it must be possible for the national supervisory authority to stop
data transfers in the meantime.

Comments

The Advocate-General’s analysis of the first point (the
requirement that DPAs must be able to stop data flows if there is a breach of EU
data protection laws) is self-evidently correct. In the absence of a mechanism
to hear complaints on this issue and to provide for an effective remedy, the
standards set out in the Directive could too easily be breached. Having
insisted that the DPAs must be fiercely independent of national governments,
the CJEU should not now accept that they can be turned into the tame poodles of
the Commission.

On the other hand, his analysis of the second point (the
validity of the Safe Harbour Decision) is more problematic – although he
clearly arrives at the correct conclusion. With respect, there are several
flaws in his reasoning. Although EU law requires strong and independent DPAs
within the EU to ensure data protection rights, there is more than one way to
skin this particular cat. The data protection Directive notably does not expressly require that third
countries have independent DPAs. While effective remedies are of course
essential to ensure that data protection law (like any other law) is actually
enforced in practice, those remedies do not necessarily have to entail an
independent DPA. They could also be ensured by an independent judiciary. After
all, Americans are a litigious bunch; Europeans could join them in the courts. But
having said that, it is clear that in national security cases like this one, EU
citizens have neither an administrative nor a judicial remedy worth the name in
the USA. So the right to an effective remedy in the Charter has been breached;
and it is self-evident that processing information from Facebook interferes with
privacy rights.

Is that limitation of rights justified, however? Here the
Advocate-General has muddled up several different aspects of the limitation
rules. For one thing, the precision of the law limiting rights and the public interest
which it seeks to protect are two separate things. In other words, the public interest does not have to be
defined precisely; but the law which limits
rights in order to protect the public interest has to be. So the opinion is
right to say that national security is a public interest which can justify limitation
of rights in principle, but it fails to undertake an examination of the
precision of the rules limiting those rights. As such, it omits to examine some
key questions: should the precision of the law limiting rights be assessed as
regards the EU law, the US law, or both? Should the US law be held to the same
standards of clarity, foreseeability and accessibility as European states’ laws
must be, according to the ECHR jurisprudence?

Next, it’s quite unconvincing to say that processing the
content of communications interferes with the ‘essence’ of the privacy and data
protection rights. The ECHR case law and the EU’s e-privacy directive expressly
allow for interception of the content of communications in specific cases, subject to strict safeguards. So it’s those two
aspects of the US law which are problematic: its nature as mass surveillance,
plus the inadequate safeguards.

On these vital points, the analysis in the opinion is
correct. The CJEU’s ruling in Digital
Rights Ireland suggests, in my view, that mass surveillance is inherently a
problem, regardless of the safeguards
in place to limit its abuse. This is manifestly the Advocate-General’s approach
in this case; and the USA obviously has in place mass surveillance well in
excess of the EU’s data retention law. The opinion is also right to argue that EU rules banning mass surveillance apply to the Member States too, as I discuss here. But even if this interpretation is
incorrect, and mass surveillance is only a problem if there are weak safeguards, then the Safe Harbour decision still violates
the Charter, due to the lack of accessible safeguards for EU citizens as
discussed above. Hopefully, the Court of Justice will confirm whether mass
surveillance is intrinsically problematic or not: it is a key issue for Member
States retaining data by way of derogation from the e-privacy Directive, for
the validity of EU treaties (and EU legislation) on specific issues such as
retaining passenger data (see discussion here of a pending case), and for
the renegotiation of the Safe Harbour agreement itself.

This brings us neatly to the consequences of the CJEU’s
forthcoming judgment (if it follows the opinion) for EU/US relations. Since the
opinion is based in large part upon the EU Charter of Rights, which is primary
EU law, it can’t be circumvented simply by amending the data protection
Directive (on the proposed new rules on external transfers under the planned
Regulation, see discussion here). Instead, the USA must, at the very
least, ensure that adequate remedies for EU citizens and residents are in place
in national security cases, and that either a judicial or administrative system
is in place to enforce in practice all rights which are supposed to be guaranteed
by the Safe Harbour certification. Facebook and others might consider moving
the data processing of EU residents to the EU, but it’s hard to see how this
could work for any EU resident with (for instance) Facebook friends living in
the USA. Surely in such cases processing of the EU data in the USA is
unavoidable.

Moreover, arguably it would not be sufficient for the
forthcoming EU/US trade and investment agreement (known as ‘TTIP’) to provide for
a qualified exemption for EU data
protection law, along the lines of the WTO’s GATS. Only a complete immunity of
EU data protection law from the TTIP – and any other EU trade and investment
agreements – would be compatible with the Charter. Otherwise, companies like
Facebook and Google might try to invoke the controversial investor dispute
settlement system (ISDS) every time a judgment like Google Spain or (possibly) Schrems
cost them money.